Data Protection under a No Deal Brexit
As of the new year, 2019, there will be fewer than 63 working days until the UK’s departure from the European Union on Friday the 29th of March 2019. It had originally been anticipated that the UK’s formal withdrawal agreement from the EU would have been ratified by a vote in the UK parliament by now. This would have settled a range of issues including financial services, immigration and hundreds of other matters associated with the UK’s departure from the EU; in particular, the withdrawal agreement would have settled what would happen regarding data protection, GDPR and international data transfers for the foreseeable future. Given that there is no agreement in the UK Parliament for either the withdrawal agreement or any other potential solution to the deadlock caused by the lack of a workable majority for any political party following the UK general election of 2017, the default option (i.e. the only definite outcome barring agreement of any sort being reached in parliament), however unpopular it may be with certain politicians, inevitably becomes more likely. That default position remains that the UK will depart the EU on the 29th of March 2019 with no deal.
GDPR has already been adopted into UK law through the UK Data Protection Act 2018, and GDPR will remain the defining standard for data protection in the UK following its withdrawal from the EU regardless of any other events that may take place in 2019. The withdrawal agreement negotiated by the prime minister included a transition period before a full departure by the UK from the EU and also contained an ‘adequacy decision’ whereby the European Commission recognised that the UK, as a third country outside of the EU, had sufficiently robust data protection laws in place to allow for an unimpeded flow of personal data between the UK and the EU, as is currently the case. In the absence of the withdrawal agreement being passed by the UK parliament and agreed by all 27 EU member states, the UK will not benefit from this adequacy decision and will hence be regarded by the EU as a third country, which will have a significant impact on data protection and the flow of data between the UK and the EU.
For any UK based organisations that are only handling the personal data of UK citizens, the UK Data Protection Act 2018 will continue to apply, and all of the GDPR compliance measures that have been in place since the inception of GDPR on the 25th of May 2018 will continue to apply. If you are a UK based organisation processing data from countries outside of the European Economic Area (EEA members include all EU member states plus Norway, Iceland and Liechtenstein) you will be able to continue to operate as before. Furthermore, if your organisation is sending the personal data of UK citizens to the EU you will also be able to do this unaffected following the UK’s departure from the EU. The following guidance will only apply if your organisation is receiving, storing, processing, reviewing or deleting data of EEA citizens after the 29th of March 2019. The following measures will also apply if your organisation forwards or transmits the personal data of EEA citizens onwards to another country or countries outside of the EEA.
Mechanisms to cover the international transfer of personal data from the EU to the UK.
1. Standard Contractual Clauses (SCCs).
Standard Contractual Clauses are templated clauses set by the European Commission which have to be included in any contract between your organisation and any third-party organisation within the EEA forwarding the personal data of EEA citizens to the UK. Please note that SCCs, while applicable in the majority of circumstances, do not apply in all international data transfer scenarios, for example where there are joint controllers or a group of undertakings engaged in joint economic activity. Following a no deal Brexit, this mechanism, although sufficient for the transfer of UK personal data outside the UK, will no longer apply to the transfer of EU personal data outside of the UK.
The effectiveness of SCCs is further impaired by the fact that they are under review by the Court of Justice of the European Union (CJEU), while they have also not been adequately updated by the data protection regulators to reflect the requirements of GDPR. Consequently, SCCs should be used with care and their use should be regularly reviewed by your DPO or equivalent compliance function to ensure compliance with best practice.
2. Binding Corporate Rules (BCRs).
An option for a multinational business is to adopt Binding Corporate Rules in accordance with Article 47 of the GDPR. These governance rules allow organisations with a presence both inside and outside the EEA to transfer personal data across their systems and infrastructure in compliance with GDPR. While the implementation process for BCRs can require substantial resources and time, BCRs will remain one of the best methods of demonstrating compliance with GDPR for the onward transfer of personal data relating to EU citizens across a large organisation or corporate group of organisations.
3. Codes of Conduct and Certification mechanisms.
Some UK trade associations and representative bodies may formally agree Codes of Conduct or Certification mechanisms with the UK ICO that would include enforcement and binding rules on any organisation subject to them. Like BCRs, compliance with codes of conduct or certification schemes may take significant resources and time, but will be an excellent way to demonstrate compliance with GDPR.
Actions for organisations to consider under a no deal Brexit.
- Review all applicable third-party contracts where personal data may be sent to or received from a third party that is located outside of the UK. Identify where personal data is being sent to or received from the EEA, and whether personal data from the EEA is being sent to any other country outside of the EEA. Make sure that any such contracts contain the applicable SCCs as mandated by the UK ICO and that the contracts themselves are correctly signed, dated and enforced. In particular, check for any contracts that include clauses prohibiting the transfer of personal data outside of the EEA.
- Carry out a data mapping exercise for your organisation to identify where personal data is being sent or received outside of the UK, and whether this is taking place internally within your organisation or externally with a third party.
- Any organisation relying on SCCs to transfer EU personal data outside of the EEA to another third country may wish to review the flow of that data and potentially change it to ensure it remains in line with GDPR and best practice.
- For any processing of EU citizens’ data that relies on records of consent obtained while the UK was a member of the EU, organisations may wish to consider obtaining more comprehensive specific informed consent, as the EU data subjects’ personal data will now be leaving the EEA, which would not have been the case prior to Brexit. Organisations should closely review the language used to obtain specific informed consent to see whether it permits the transfer of EU data subjects’ personal data outside of the EEA.
- Review and update all applicable privacy policies so they state clearly whether any personal data is being sent outside of the EEA.
- For any organisations with offices in the EEA, ensure you are aware of any specific local privacy laws in that country in addition to GDPR, given that the derogations within GDPR allow member states to adopt significant local variations in how GDPR is applied.
- If your organisation has offices in other EEA countries and the UK ICO is nominated as your lead supervisory authority (LSA) under the ‘one stop shop’ principle, it may be necessary to nominate a new LSA. Check with the ICO in the event that you need to do this.
Should you wish to look at the implications of Brexit and Data Protection on your organisation, please feel free to email us at: firstname.lastname@example.org
Sources of further information.
European Commission Notice: https://ec.europa.eu/info/sites/info/files/file_import/data_protection_en.pdf
UK Government Technical Notice: https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal
Standard Contractual Clauses (SCCs): https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en